am: 63067284f1 -s ours
am skip reason: change_id I3bd1b2262dc6dcb099403d24611db66aac9aecb0 with SHA1 ae68bf23b6 is in history
Change-Id: I177f0150b4d4ba19841a19fee6d8f15a49cd7fc3
am: 5a56156bcc -s ours
am skip reason: change_id I5af4d01e17f2d37335f523a49c7b1f81886edfa2 with SHA1 210cdc6fa4 is in history
Change-Id: I97fb79ff555ecffdef5f8e88e4022e076083f7f8
bpf programs/maps are now loaded by the bpfloader, not netd
Test: built/installed on crosshatch which uses eBPF - no avc denials
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Merged-In: I1ebd82e6730d62d1966da3c4634ecd78ce703543
(cherry picked from commit 487fcb87c0)
No longer needed, since this is now done by netd.
In a separate commit so it can potentially not be backported to Q
if we so desire.
Test: build/installed on crosshatch with netd/clatd changes,
and observed functioning ipv4 on ipv6 only network with no
avc denials
Bug: 65674744
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Merged-In: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
(cherry picked from commit 3e41b297d2)
am: 9bb7844efa -s ours
am skip reason: change_id Ieab51aeb67ebb85b6c778410ba96963612277ae4 with SHA1 afa10f7223 is in history
Change-Id: Ie31a3810a21ee64be15310e62ecbec3da2f3abb8
This is presumably libc isatty detection on stdin/out/err.
Either way - allowing it is harmless.
This fixes:
type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0
Test: built and observed no more avc denials on crosshatch
Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4
Merged-In: Ieab51aeb67ebb85b6c778410ba96963612277ae4
(cherry picked from commit afa10f7223)
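
Added example, not part of the commit or of the Android sepolicy tree: a small parser that turns the AVC denial quoted in the message above into the narrowest allow rule that would cover it, merging permissions per (source, target, class). The function names are hypothetical, and the rule it prints is derived from the log line only; it is not taken from the actual policy change.

```python
import re

# The denial quoted in the commit message above (copied from the page).
DENIAL = ('type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" '
          'path="pipe:[38315]" dev="pipefs" ino=38315 '
          'scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 '
          'tclass=fifo_file permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # A context is user:role:type:level; the type is always the third field.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields


def minimal_allow_rules(lines):
    """Merge denials by (source, target, class) and emit one rule per triple."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue  # skip non-AVC lines and 'granted' records
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt = 'self' if tgt == src else tgt
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    print('\n'.join(minimal_allow_rules([DENIAL])))
```

A generated rule is a starting point for review: whether the access should be allowed at all is a policy decision the log line cannot answer.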
Media component update service is removed, so selinux
permissions for it are no longer needed.
Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
These denials are intermittent and unnecessary. Hide them while we
investigate how to properly fix the issue.
Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2
am: 24c34d9379 -s ours
am skip reason: change_id Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51 with SHA1 033177893f is in history
Change-Id: I314c22213119cf0ab158af75d4efce2c5ac8f8a4
am: 033177893f -s ours
am skip reason: change_id Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51 with SHA1 761ce69a25 is in history
Change-Id: I800bd3f4dd594b9b7019e3439f57b6219330a3bc
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.
Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
Merged-In: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
am: 036a9b36a6 -s ours
am skip reason: change_id I8ac4c2f98f823120060e51438b39254898f4a27e with SHA1 8fa5ebdee7 is in history
Change-Id: I231eaa6f3cd4be79429dc16c202c2179e618095e
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
Merged-In: I8ac4c2f98f823120060e51438b39254898f4a27e
(cherry picked from commit 8fa5ebdee7)
No longer needed, since this is now done by netd.
In a separate commit so it can potentially not be backported to Q
if we so desire.
Test: build/installed on crosshatch with netd/clatd changes,
and observed functioning ipv4 on ipv6 only network with no
avc denials
Bug: 65674744
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6
("selinux: support distinctions among all network address families")
modified the kernel to support fine grain differentiation of socket
families, if userspace enables it (which Android does).
Modify the mtp SELinux policy to allow the use of pppox_socket
(needed for kernels 4.14 or greater) and the generic "socket" family
(for kernels below 4.14).
Bug: 130852066
Test: compiles
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I8ac4c2f98f823120060e51438b39254898f4a27e
VTS tests are run after flashing a GSI image on the device.
The properties ro.boot.dynamic_partitions and ro.boot.dynamic_partitions_retrofit
are currently placed in product partition and will be overwritten by the GSI image.
We need to move these properties to vendor partition so that they will be available
even after the device is flashed with GSI.
Bug: 132197773
Test: build and flash, adb getprop ro.boot.dynamic_partitions
Change-Id: Ib04896ef744d8d2daa5cb3feee2cbf45aae2ba51
am: 532980fb0b -s ours
am skip reason: change_id Ib501c755e11ec8a3a22c8aa333b5af7ec0bff306 with SHA1 6450e0038b is in history
Change-Id: I10dcd1aaa9a52c3a0c072df120a275fabb005f69
am: 64aa71a430 -s ours
am skip reason: change_id I00cc07108acaac5f2519ad0093d9db9572e325dc with SHA1 e9cafb91d2 is in history
Change-Id: I628299e76a69617b73f4be8588f9fae83f5f0e88